[SPAM] Gmail truncating attachments from MailScanner

foulplay at foulplay.org foulplay at foulplay.org
Mon Apr 30 16:20:24 UTC 2018 

The root cause turned out to be a bug in Exim. Ref: https://bugs.exim.org/show_bug.cgi?id=1974 <https://bugs.exim.org/show_bug.cgi?id=1974>

The fix for me was to add chunking_advertise_hosts = doesnotexist.org <http://doesnotexist.org/> in the global section and hosts_try_chunking = doesnotexist.org <http://doesnotexist.org/> in the remote_smtp transport section of exim.conf.



> On Apr 17, 2018, at 4:21 PM, foulplay at foulplay.org wrote:
> 
> Setting Maximum Archive Depth = 7 worked good. No truncation.
> 
> Putting this back to 8 and disabling the 7zip archiver worked as well.
> 
> I do not have a follow up or any other details yet, since I just finished testing and haven’t done the research if the 7z binary might be the root cause. That is my next step.
> 
> 
> 
>> On Apr 17, 2018, at 4:07 PM, Shawn Iverson <iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>> wrote:
>> 
>> Yeah, that's not the solution, but it narrows down the problem.
>> 
>> Next, can you disable the 7zip archiver...
>> 
>> Change
>> Un7zip Command = /usr/bin/7z
>> Un7zip Command =
>> 
>> Set the depth back to 8 and restart MailScanner.
>> 
>> 
>> 
>> On Tue, Apr 17, 2018 at 4:05 PM, <foulplay at foulplay.org <mailto:foulplay at foulplay.org>> wrote:
>> Gmail now shows the documents (docx and pdf) correctly.
>> 
>> This was set to 8 previously. I took this setting as for MailScanner to scan within compressed file as per the comments. I am not sure if disabling this check is a good idea.
>> 
>> Any thoughts around perhaps a compressed executable passing through the checks?
>> 
>> 
>> 
>>> On Apr 17, 2018, at 3:34 PM, Shawn Iverson <iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>> wrote:
>>> 
>>> Can you try setting the following in MailScanner.conf?
>>> 
>>> Maximum Archive Depth = 0
>>> 
>>> Then restart MailScanner and send the message through.  Does it still get truncated?
>>> 
>>> 
>>> On Tue, Apr 17, 2018 at 3:28 PM, Shawn Iverson <iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>> wrote:
>>> It is indeed truncated, this is missing on the Mailscanner/Gmail one in the Base64 encoding:
>>> 
>>> AAAAAAAAAL83AQBkb2NQcm9wcy9hcHAueG1sUEsFBgAAAAATABMAxAQAABY7
>>> AQAAAA==
>>> 
>>> 
>>> On Tue, Apr 17, 2018 at 3:08 PM, <foulplay at foulplay.org <mailto:foulplay at foulplay.org>> wrote:
>>> 
>>> 
>>>> On Apr 17, 2018, at 1:58 PM, Mark Sapiro <mark at msapiro.net <mailto:mark at msapiro.net>> wrote:
>>>> 
>>>> On April 17, 2018 9:21:07 AM PDT, foulplay at foulplay.org <mailto:foulplay at foulplay.org> wrote:
>>>>> 
>>>>> I seem to be going around in circles between MailScanner and Gmail.
>>>>> Would appreciate any insight that might help me in troubleshooting this
>>>>> further.
>>>> 
>>>> 
>>>> Please create a test email and send it through the problem MailScanner and post the raw message as received. You could look at the message both in Gmail (view original ) and that for a non-truncated message and see if there's any difference, but post that raw message and maybe we can see something.
>>>> 
>>>> 
>>> 
>>> 
>>> This is from Gmail.
>>> 
>>> Delivered-To: XXXXX at gmail.com <mailto:XXXXX at gmail.com>
>>> Received: by 2002:a9d:550c:0:0:0:0:0 with SMTP id l12-v6csp1875991oth;
>>>         Tue, 17 Apr 2018 06:41:42 -0700 (PDT)
>>> X-Google-Smtp-Source: AIpwx4+j3zFCvmaZ2PFx98CgodB/xg2LSSREMdxLV2NDiVXMUGTfbWjqJF2U8HN6fKgATr1Fs+0d
>>> X-Received: by 10.237.39.101 with SMTP id n92mr2523600qtd.215.1523972501998;
>>>         Tue, 17 Apr 2018 06:41:41 -0700 (PDT)
>>> ARC-Seal: i=1; a=rsa-sha256; t=1523972501; cv=none;
>>>         d=google.com <http://google.com/>; s=arc-20160816;
>>>         b=RT/BsmBl9DlyW45oUpg1knmQUqXPShd9/jo026IloQhRKyqzFgzTkxutyLmCg3Pbya
>>>          mVIh2691rjmlJP1PR+RXk+0Y6jxWrTKFNtPpp3oBlrn0HfAYKrkZ2vSa/vZg+BsFTXYt
>>>          fPGIktK+kVBfnb+UUazLWPjCugnsvAwrnCCN1AjX96KJlrOkrfNhESHRAF1RcgARhDRn
>>>          m5tZcN/Ver7GrFXi/rvcW2zTZjYR48jViF6bLwTmEgUfhNVmq22jeVPmdf00NYLntOq4
>>>          HkRT0gkviip9rqT3pUFvyUxixTUgl2wap+fq9XmcMHGME/lUKzO9ffICZa7Nw8311sCH
>>>          g8Iw==
>>> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com <http://google.com/>; s=arc-20160816;
>>>         h=to:cc:date:message-id:subject:mime-version:from
>>>          :arc-authentication-results;
>>>         bh=WZ4q8c6jXzVf2rNCF7iO8zr7YrSC0Jg9gbP30U9RwFE=;
>>>         b=iw0NiFc+6ljVZscRcDzj8ErPM2B8FBpv8lpMHnST8jbFaP9po9VGtcicbBKLZc2c3Z
>>>          cP/h+N/IED8dFbLm0OFhCNROtcJdSHSEI/uJlQeY7Td/4e6atOed4S+PkvX0Dx13xPDN
>>>          MzArO37z9Pi7Pypce1Ou5LN6UU4vGUC3BZpN+5wZkacM0fiYZyWPfJp/vb8a+pCN9i0B
>>>          3MusAkDMxMYw88MZBZXOoZG1wskHVjTmpTcQwHR1hkPN784Hizb51+qjJWPl8BsVXa98
>>>          hbRRDp7cB4Jpz28uDDPQXZMG0XoPKXWoknSul/WrB4oSrJcYc7CiYTLbO2rOyvS5i/Pd
>>>          MEsQ==
>>> ARC-Authentication-Results: i=1; mx.google.com <http://mx.google.com/>;
>>>        spf=pass (google.com <http://google.com/>: domain of xxxx at xxxxxx.xxx <mailto:xxxx at xxxxxx.xxx> designates 1.2.3.4 as permitted sender) smtp.mailfrom=xxxx at xxxxxx.xxx <mailto:smtp.mailfrom=xxxx at xxxxxx.xxx>
>>> Return-Path: <xxxx at xxxxxx.xxx <mailto:xxxx at xxxxxx.xxx>>
>>> Received: from postman2.xxxxxx.xxx [1.2.3.4]
>>>         by mx.google.com <http://mx.google.com/> with ESMTPS id l8si1486350qtb.265.2018.04.17.06.41.39
>>>         for <XXXXX at gmail.com <mailto:XXXXX at gmail.com>>
>>>         (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>>>         Tue, 17 Apr 2018 06:41:41 -0700 (PDT)
>>> Received-SPF: pass (google.com <http://google.com/>: domain of xxxx at xxxxxx.xxx <mailto:xxxx at xxxxxx.xxx> designates 1.2.3.4 as permitted sender) client-ip=1.2.3.4;
>>> Authentication-Results: mx.google.com <http://mx.google.com/>;
>>>        spf=pass (google.com <http://google.com/>: domain of xxxx at xxxxxx.xxx <mailto:xxxx at xxxxxx.xxx> designates 1.2.3.4 as permitted sender) smtp.mailfrom=xxxx at xxxxxx.xxx <mailto:smtp.mailfrom=xxxx at xxxxxx.xxx>
>>> X-Spam-Status: No
>>> X-MailScanner-Watermark: 1524577246.96058 at lKez6aR7qH9NWYmklf9hQg
>>> X-Postman2-MailScanner-From: xxxx at xxxxxx.xxx <mailto:xxxx at xxxxxx.xxx>
>>> X-Postman2-MailScanner-SpamCheck: not spam (whitelisted),
>>> 	SpamAssassin (not cached, score=0.5, required 9, autolearn=disabled,
>>> 	ALL_TRUSTED -1.00, KAM_INSURE1 1.50)
>>> X-Postman2-MailScanner: Found to be clean
>>> X-Postman2-MailScanner-ID: 1f8Qqh-0001DA-Iq
>>> X-Postman2-MailScanner-Postman2-Information: Please contact the ISP for more information
>>> Received: from bentley.xxxxxx.xxx ([172.16.0.254] helo=macbook-pro-2.xxxxxx.xxx)
>>> 	by postman2.xxxxxxx.xxx with esmtpa (Exim 4.90_1)
>>> 	(envelope-from <xxxx at xxxxxx.xxx <mailto:xxxx at xxxxxx.xxx>>)
>>> 	id 1f8Qqh-0001DA-Iq; Tue, 17 Apr 2018 09:40:43 -0400
>>> From: <xxxx at xxxxxx.xxx <mailto:xxxx at xxxxxx.xxx>>
>>> Content-Type: multipart/mixed;
>>> 	boundary="Apple-Mail=_14CD8B89-808B-4B73-80B4-639157B2F984"
>>> Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
>>> Subject: Test 39
>>> Message-Id: <63EEB38F-DEA2-4D7C-A695-998FEC7196FD at cantella.com <mailto:63EEB38F-DEA2-4D7C-A695-998FEC7196FD at cantella.com>>
>>> Date: Tue, 17 Apr 2018 09:40:31 -0400
>>> Cc: <ABC at non-gmail.com <mailto:ABC at non-gmail.com>>
>>> To: <XXXX at gmail.com <mailto:XXXX at gmail.com>>
>>> X-Mailer: Apple Mail (2.3445.5.20)
>>> 
>>> 
>>> --Apple-Mail=_14CD8B89-808B-4B73-80B4-639157B2F984
>>> Content-Type: text/plain; charset="us-ascii"
>>> Content-Disposition: inline
>>> Content-Transfer-Encoding: quoted-printable
>>> 
>>> 
>>> --
>>> 39 line long disclaimer removed for brevity.
>>> 
>>> 
>>> --Apple-Mail=_14CD8B89-808B-4B73-80B4-639157B2F984
>>> Content-Disposition: attachment;
>>> 	filename="PS Agreement-LLC.docx"
>>> Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document;
>>> 	x-unix-mode=0644;
>>> 	name="PS Agreement-LLC.docx"
>>> Content-Transfer-Encoding: base64
>>> 
>>> UEsDBBQABgAIAAAAIQBndQ8szgEAABsJAAATAAgCW0NvbnRlbnRfVHlwZXNd
>>> LnhtbCCiBAIooAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> *
>>> *
>>> *
>>> Ai0AFAAGAAgAAAAhALak2Tv0AQAAoQMAABEAAAAAAAAAAAAAAAAAHSwBAGRv
>>> Y1Byb3BzL2NvcmUueG1sUEsBAi0AFAAGAAgAAAAhACjiVUGeBgAAHzoAABIA
>>> AAAAAAAAAAAAAAAASC8BAHdvcmQvbnVtYmVyaW5nLnhtbFBLAQItABQABgAI
>>> AAAAIQD87iYrdwEAAEADAAAUAAAAAAAAAAAAAAAAABY2AQB3b3JkL3dlYlNl
>>> dHRpbmdzLnhtbFBLAQItABQABgAIAAAAIQB2082OIQIAADEEAAAQAAAAAAAA
>>> 
>>> 
>>> ****************
>>> Below is what is received on non-gmail system that was CC’ed.
>>> 
>>> Return-Path: <xxxx at xxxxxx.xxx <mailto:xxxx at xxxxxx.xxx>>
>>> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on rx8.non-gmail.org <http://rx8.non-gmail.org/>
>>> X-Spam-Level: 
>>> X-Spam-ASN:  
>>> X-Spam-Status: No, score=-0.4 required=1.5 tests=BAYES_00,KAM_INSURE1
>>> 	shortcircuit=no autolearn=no autolearn_force=no version=3.4.1
>>> X-Original-To: ABC at non-gmail.org <mailto:ABC at non-gmail.org>
>>> Delivered-To: ABC at non-gmail.org <mailto:ABC at non-gmail.org>
>>> Received: from localhost (localhost.localdomain [127.0.0.1])
>>> 	by mailhost.non-gmail.org <http://mailhost.non-gmail.org/> (Postfix) with ESMTP id D5AD84399C
>>> 	for <ABC at non-gmail.org <mailto:ABC at non-gmail.org>>; Tue, 17 Apr 2018 09:42:05 -0400 (EDT)
>>> Received: from mailhost.non-gmail.org <http://mailhost.non-gmail.org/> ([127.0.0.1])
>>> 	by localhost (rx8.non-gmail.org <http://rx8.non-gmail.org/> [127.0.0.1]) (amavisd-new, port 10024)
>>> 	with ESMTP id ZxjGE_cKxEMf for <ABC at non-gmail.org <mailto:ABC at non-gmail.org>>;
>>> 	Tue, 17 Apr 2018 09:42:04 -0400 (EDT)
>>> Received: from postman2.xxxxxx.xxx [1.2.3.4]
>>> 	by mailhost.non-gmail.org <http://mailhost.non-gmail.org/> (Postfix) with ESMTP id 7E63F61E13
>>> 	for <ABC at non-gmail.org <mailto:ABC at non-gmail.org>>; Tue, 17 Apr 2018 09:41:28 -0400 (EDT)
>>> DKIM-Filter: OpenDKIM Filter v2.11.0 mailhost.non-gmail.org <http://mailhost.non-gmail.org/> 7E63F61E13
>>> X-MailScanner-Watermark: 1524577246.96058 at lKez6aR7qH9NWYmklf9hQg
>>> X-Postman2-MailScanner-From: xxxx at xxxxx.xxx <mailto:xxxx at xxxxx.xxx>
>>> X-Postman2-MailScanner-SpamCheck: not spam (whitelisted),
>>> 	SpamAssassin (not cached, score=0.5, required 9, autolearn=disabled,
>>> 	ALL_TRUSTED -1.00, KAM_INSURE1 1.50)
>>> X-Postman2-MailScanner: Found to be clean
>>> X-Postman2-MailScanner-ID: 1f8Qqh-0001DA-Iq
>>> X-Postman2-MailScanner-Postman2-Information: Please contact the ISP for more information
>>> Received: from bentley.xxxxxx.xxx ([172.16.0.254] helo=macbook-pro-2.xxxxx.xxx)
>>> 	by postman2.xxxxx.xxx with esmtpa (Exim 4.90_1)
>>> 	(envelope-from <xxxx at xxxxx.xxx <mailto:xxxx at xxxxx.xxx>>)
>>> 	id 1f8Qqh-0001DA-Iq; Tue, 17 Apr 2018 09:40:43 -0400
>>> From: <xxxxx at xxxxx.xxx <mailto:xxxxx at xxxxx.xxx>>
>>> Content-Type: multipart/mixed;
>>> 	boundary="Apple-Mail=_14CD8B89-808B-4B73-80B4-639157B2F984"
>>> Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
>>> Subject: Test 39
>>> Message-Id: <63EEB38F-DEA2-4D7C-A695-998FEC7196FD at cantella.com <mailto:63EEB38F-DEA2-4D7C-A695-998FEC7196FD at cantella.com>>
>>> Date: Tue, 17 Apr 2018 09:40:31 -0400
>>> Cc: <ABC at non-gmail.org <mailto:ABC at non-gmail.org>>
>>> To: <xxxxx at gmail.com <mailto:xxxxx at gmail.com>>
>>> X-Mailer: Apple Mail (2.3445.5.20)
>>> X-Virus-Scanned: clamav-milter 0.99.4 at mailhost.non-gmail.org <http://mailhost.non-gmail.org/>
>>> X-Virus-Status: Clean
>>> 
>>> 
>>> --Apple-Mail=_14CD8B89-808B-4B73-80B4-639157B2F984
>>> Content-Type: text/plain; charset="us-ascii"
>>> Content-Disposition: inline
>>> Content-Transfer-Encoding: quoted-printable
>>> 
>>> 
>>> --
>>> 39 line long disclaimer removed from here as well
>>> 
>>> --Apple-Mail=_963D6525-728C-4D7D-B725-99B55CEBBE9B
>>> Content-Disposition: attachment;
>>> 	filename="PS Agreement-LLC.docx"
>>> Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document;
>>> 	x-unix-mode=0644;
>>> 	name="PS Agreement-LLC.docx"
>>> Content-Transfer-Encoding: base64
>>> 
>>> UEsDBBQABgAIAAAAIQBndQ8szgEAABsJAAATAAgCW0NvbnRlbnRfVHlwZXNd
>>> LnhtbCCiBAIooAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> *
>>> *
>>> *
>>> Ai0AFAAGAAgAAAAhALak2Tv0AQAAoQMAABEAAAAAAAAAAAAAAAAAHSwBAGRv
>>> Y1Byb3BzL2NvcmUueG1sUEsBAi0AFAAGAAgAAAAhACjiVUGeBgAAHzoAABIA
>>> AAAAAAAAAAAAAAAASC8BAHdvcmQvbnVtYmVyaW5nLnhtbFBLAQItABQABgAI
>>> AAAAIQD87iYrdwEAAEADAAAUAAAAAAAAAAAAAAAAABY2AQB3b3JkL3dlYlNl
>>> dHRpbmdzLnhtbFBLAQItABQABgAIAAAAIQB2082OIQIAADEEAAAQAAAAAAAA
>>> AAAAAAAAAL83AQBkb2NQcm9wcy9hcHAueG1sUEsFBgAAAAATABMAxAQAABY7
>>> AQAAAA==
>>> 
>>> --Apple-Mail=_963D6525-728C-4D7D-B725-99B55CEBBE9B
>>> 
>>> 
>>> 
>>> *****************
>>> Besides the trail end of the two emails being different, I for one have being going blind trying to spot the difference.
>>> 
>>> Hope this helps.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info>
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner <http://lists.mailscanner.info/mailman/listinfo/mailscanner>
>>> 
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Shawn Iverson, CETL
>>> Director of Technology
>>> Rush County Schools
>>> 765-932-3901 x1171
>>> iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Shawn Iverson, CETL
>>> Director of Technology
>>> Rush County Schools
>>> 765-932-3901 x1171
>>> iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
>>> 
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info>
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner <http://lists.mailscanner.info/mailman/listinfo/mailscanner>
>>> 
>> 
>> 
>> 
>> 
>> -- 
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info>
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner <http://lists.mailscanner.info/mailman/listinfo/mailscanner>
>> 
>> 
>> 
>> 
>> 
>> -- 
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x1171
>> iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
>> 
>> 
>> 
>> 
>> 
>> -- 
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info>
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> 
> 
> 
> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180430/fd9c74c4/attachment.html>

More information about the MailScanner mailing list